How to Develop Data Sharing Policy

Data Sharing Policy

Background

The issue with the current state of affairs is that there is a lot of information residing within various government ministries, departments and agencies in silos. A significant amount of resources is required to maintain, and this information do not necessarily provide a complete picture of the type of services the public and government departments use or require. This is exacerbated by the absence of national standards for the storage, use and handling of information. There is a requirement to provide seamless exchange and integration of information residing in silos.

In this backdrop, a project has been commissioned to develop an Information and Service classification framework that would define a process of providing integrated information and services in a holistic manner. The framework would seek to identify a common approach for identifying the sources, owners, level of sensitivity, level of security required of information and services. Also, it would facilitate the sharing of data and information between government organizations to improve productivity and transparency. The framework aims to provide an integrated platform for creation of a nationwide policy for sharing that data.

Scope

The Data Sharing Policy defined for applicable to all data created, generated, collected or archived by the Government of Sri Lanka through its associated departments/ ministries/ agencies using public funds. The data may be in electronic form or in form of manual records.

The policy shall ensure accessibility to data as per the security classification assigned to the data by the Data Classification framework of Government of Sri Lanka. The data classified as shareable by Data and Service Classification frameworks shall be made uniformly accessible to those who need and are authorized to use it. In the event where the data is sensitive, the data would be shared with authorized agencies/people with appropriate controls as defined in the data and service classification framework for the Government of Sri Lanka.

The objective of the policy is to define a set of guidelines and principles to help create an ecosystem for the enhanced access to the sharable data to relevant stakeholders protecting the rights of the information provider and the seeker. The policy shall define a framework that would facilitate pro-active sharing of periodically updated sharable data with Government of Sri Lanka. The policy shall be applicable to all data whether electronic or in the form of manual records.

“create an integrated platform to enable seamless sharing of information to the right people at the right time in a secure, reliable manner to promote mutual benefits to individuals, civil society and the country”

The policy intends to achieve the following outcomes

1. Seamless sharing of data within the departments and the public

With seamless sharing of information, a single window to deliver citizen centric services shall be created to serve the citizens in the most convenient and efficient manner. The policy is not only aimed at sharing data with public, but also will promote data sharing between the departments (on authorized or restricted access). This would be a key enabler for the departments using the same data for providing the services. In this case, the departments may not be required to collect the information again but can use the information available with other departments.

2. Creation of Integrated e-Service delivery

The project would also support implementation of 'e-Sri Lanka' where multiple stakeholder partnerships would be developed between the public sector, the private sector and the civil society, to 'take the dividends of ICT to every village, to every citizen, to every business and to transform the way the government thinks and works'. One of the key success factors to this enablement is the presence of an integrated service delivery platform which cannot be achieved without sharing of information based on appropriate classification levels.

3. Data is provided by Public

The data with government has been generated by public funds and hence as long as sharing of data is not harmful to the public interest or the national interests, it shall be made readily accessible to all.

4. Considerable percentage of data may not be sensitive

A large percentage of the data generated with government may not be sensitive and hence restricting the dissemination of such data only prevents the use of it for scientific, research, social and economic development purposes. Therefore the national level policy would help the sharable data to be used for such purposes, with appropriate controls.

5. Avoid duplication and data integrity issues

Various government departments and agencies require relevant data covering a broad range of economic and social indicators for planning and monitoring social and economic activities. In the absence of data sharing within the government, the same data gets generated separately for each department leading to the duplication of effort and wastage of time and public funds.

6. Protect the interests of all stakeholders

To promote sharing of data, it is imperative that necessary standards and safeguards are put in place in the form of a Data Sharing Policy to protect interests of both the data provider and the seeker.

7. Promote Open Government Data principles(opengovdata.org):

(a). Promoting interoperability standards – Integration with LIFe

(b). Classification of Information as an Asset

(c). Providing controls for completeness of the data

(d). Ensuring the timely delivery of the data accessible to the right people

8. Promote Open Government principles(www. opengovpartnership.org):

(b). Information access leading to reduction in corruption and inefficiencies

(c). Financial transparency in the system

(d). Bringing more accountability to provide information and to maintain its accuracy

(e). Integrated window for public services

(f). Promoting national level governance and citizen partnership

(g). Giving more access to departmental mandates, laws & insights into Government functioning

(h). Open data would lead to faster closure of service requests and public grievances based on time bound services and provide higher accountability

9. Creation of a governance framework

The policy also aims to create a governance framework to monitor and evaluate the implementation of data sharing framework in the government departments/ministries. Some of the steps include;

(a). A dedicated person must be designated to respond to people trying to use the data.

(b). A dedicated person must be designated to respond to complaints about violations of the principles.

(c). An administrative or judicial provision to review whether the agency has applied these principles appropriately.

The details of this are mentioned in the sections below.

10. Guidelines for the creation of legal, technical, operational and change management frameworks for data sharing

The policy also aims to provide guidelines for the creation of legal, technical, operational and change management frameworks for the implementation of data sharing framework in the government departments/ministries. A summary of guidelines to be mentioned under this section is mentioned here while details are mentioned in the sections below:A. Legal - Security Policies , Intellectual Property Rights (IPRs) and Privacy GuidelinesB. Technical - Delivery Mechanism, Connectivity, Data standards and records digitizationC. Operational - Implementation Plans and Risk managementD. Change Management - Trainings and Awareness Programs

Creation of a National Data Sharing Policy is an important step towards achieving Open data concepts and Right To Information in Sri Lanka. This National Data Sharing Policy receives its basis from the Service Classification framework which in turn is based on the Information/ Data Classification framework with the empowerment through Right To Information. The Department level Data Sharing Policy is derived from the National Data Sharing Policy and shall be in conformance to the same.

The key components of data sharing policy include:

Data Classification Framework – Data classification is based on the impact of sharing of information with different stakeholders. Based on the impact and findings, appropriate controls are identified.

Service Classification Framework – Service classification framework evolves from information/ data classification framework and aims to share Information Assets (Collection of data elements) as a service. The services are shared as either-Data Services or-Verification Services and can be shared at three levels – Open, Authorized and Restricted.

The security classification assigned to a service must at least be the same as the highest security classification of the data being shared or transferred during the course of service delivery.

Data Sharing Policy – The data sharing policy has been created based on the data/services classification frameworks. Within the ambit of the National Data Sharing policy, data sharing policies specific to the departments may be created which would provide the legal, operational, technical and change management frameworks to implement controls which needs to be placed for the effective sharing of information.

The following section describes the data sharing policy framework based on the global best practices and Sri Lanka Data & Service Classification frameworks.

5.1 Data Sharing Principles

Data sharing by government of Sri Lanka ministries, departments and agencies must adhere to the following principles:

A. Transparency

The data sharing policy must be aimed at bringing more transparency into the departmental functions. The department shall provide for sharing of data with respect to internal working of the department (unless specified by departmental mandate), the process for key services, contacts ofimportant people and the escalation procedures. The department shallalso provide time bound procedures for theservices offered on a transparent basis.

B. Protection of Intellectual Property

The department sharing the data shall protect the Intellectual property rights of both the department and the individuals. The data sharing policy for the department shall not bypass right to preserve the IPRs (Intellectual Property Rights) for the provided dataset and any changes to IPR policies for the department mandate shall be carried out in accordance to the rules and regulations that govern the departmental operations.

C. Protection of Data Privacy

Before sharing of information, the data privacy shall be considered well in advance. Currently Sri Lanka does not have any national policy on data privacy; however, consent of the information originators need to be taken before sharing their information. Similar arrangements are required for inter-departmental data sharing as well. However, data subject to privacy shall supersede the data sharing policy

D. Interoperability and linking to LIFe

Electronic data is stored in a multitude of formats of which large number of formats is mutually undecipherable. Thus, one government department saving its documents in a proprietary format may not allow for other departments/citizen to interact efficiently with those data sources. For such reasons, certain set standards shall be used by all government departments. To support this, an interoperability framework, LIFe (Lankan Interoperability Framework) has been defined by ICTA which governs the mechanism for providing data sharing standards. The data sharing policy for department shall be compliant to LIFe to facilitate nation wise adoption of LIFe.

E. Legal support and mandates

The department shall assume responsibility for supporting the data sharing through legal procedures and mandates. The department shall own the changes required to facilitate data sharing with other departments and public. The required changes may include:

Changes for IPRs and Data Privacy

MoU/MoA with different departments

F. Formal responsibility to enable and promote data sharing

The department shall assume formal responsibility to enable and promote data sharing. To facilitate data sharing, all the necessary process, teams and supporting technology shall be setup by the department.

G. Accountability of completeness and correctness of data

It is important to note that completeness and correctness of data is very important, therefore all necessary steps shall be taken by the department to maintain the integrity of the data. Inaccurate open data, such as weather information may lead to catastrophic effects and therefore it is important to ensure the accuracy of data.

H. Technical and Operational efficiency

The department shall make all efforts to share the data through technically and operationally efficient mechanisms. This shall mean that department shall make use of optimal techniques and guidelines so that data sharing does not become an additional burden on the departmental functioning. The department shall make necessary modification for optimization of processes for the seamless data exchange with minimal human effort.

I. Machine readable formats

It may be noted that not all open standards (such as PDF) are 'machine readable' so that that the data can be manipulated, reprocessed, visualized, mashed up with other data, or even made interactive. While it is desirable to have information organized in in open standards, it is also desirable for them to be in machine readable formats (such as well defined XML). In this regards the departmental policy shall mandate sharing of information in machine readable format.

J. Pricing

All data, metadata and statistical products declared as official statistics shall be FREE to ALL Users or applicable cost shall not be more than the recovery amount to cover reproduction or distribution costs.

Data which has to be shared under restricted and authorized access may be shared at a price decided by the government department or agency which is the owner of the data as per the policies of the government of Sri Lanka. The owner agency is the one which has created, generated or collected the data. All such costs must be communicated and published on websites; bulletin boards etc by concerned government departments in advance.

K. Maintenance of Data Quality

For ensuring the quality, integrity and authenticity of data good statistical compilation and dissemination practices must be adopted by the departments owning the data. Observance of procedures for data compilation and dissemination ensures high standards of professionalism.

Note: The department above refers to any organization/body/ministry / etc involved in the process of data sharing as either an information provider or an information seeker.

Data classification is the first step in moving towards a data sharing paradigm. Through this framework, the data elements are identified and classified based on the sensitivity and impact of the sharing of that information. The classification

model has following elements:

The major components in the framework include the following:

Classification Levels

A Classification Level represents confidentiality rating (or security rating) that must be applied to the informational assets.Four main levels of security classification markingshave been defined as part of the Information Classification framework; “Public”, “Limited Access”, “Confidential” and “Secret”.

Dissemination Limiting Markers (DLM)

Dissemination Limitation Markers supplement the security classification system for identifying official information. DLMs are markings for information where disclosure of information may be limited or prohibited by legislation or where it may otherwise require special handling. Departments/agencies are responsible for determining the appropriate protections to be applied to information bearing DLMs. DLMs have been categorized in the following four categories: Sensitive, Sensitive: Personal, Sensitive: Legal, and Sensitive Government.

Caveats

Caveats are warnings that specify or limit the people who can have access to the information. Use of caveats with information signifies that the information has special requirements in addition to those indicated by the protective marking. Information bearing agency specific caveats are to be re-labeled or appropriate procedures agreed up before the release or the transmission outside of that agency. The prior agreement of the originating agency—in other words, the agency that originally placed the caveat on the material—is required to remove a caveat. If the originating agency does not agree to the removal of the caveat, then the information cannot be released. The requirement to obtain agreement of the originating agency to release the material cannot be the subject of a policy exception under any circumstances.The following categories of security caveats are used: Eyes Only (EO), Permission Required (PR), When completed (WC), Do not release Until (DNRU).

Based on these elements, a framework has been defined encompassing methodology, process and necessary tools for data classification. A broad level flow diagram for the assignment of classification ratings to data elements is mentioned in Annexure 1 for reference. For further details on how to perform data classification, please refer the ―Data Classification Framework document.

The sharing of data is done via services and therefore a separate service classification framework has been defined based on the data classification framework. The model has also been aligned with the data sharing policy and defines the following key components.

Service Classification Level

Based on the type of security classification assigned, the access to the data may be regulated and limited to a selected group of individuals or operational units. While providing access it shall be noted that all government data is generated by using public funds and hence as far as possible access to the same should be unrestricted, easy, timely and user-friendly as long as the security and privacy requirements are preserved. Access provided to data held by government can be of following types.

1. Open Access

Data that may be accessible freely by any individual / agency and the access is provided without any process or registration / authorization is referred to as open data and is freely available to all.

2. Authorized Access

Access to data is restricted when data sets are accessible only through a prescribed process of registration / authorization by respective departments / organizations. Data having restricted access shall be made available to only the recognized institutions / organizations / public users, through defined procedures. The requester of such data may need to authenticate his / her identity and provide a valid reason to access the data in question by producing the correct documentation and authorizations.

3. Restricted Access

Data declared as restricted shall be accessible only through and under authorization to selected individuals or organizations based on a need to know basis.

Service Types

This refers to the information types being shared through the provided services. The service types are categorized into two broad categories as mentioned below:

1. Data Service

Some or all data elements within the data ―Asset can be shared depending on the derived sensitivity of the data Asset

2. Verification Only Service

Given a set of inputs, an answer as of Yes/No may be provided after the proper verifications are carried out in the source data bases.

Based on these elements, a framework has been defined encompassing a methodology, process and the necessary tools for Service classification. A broad level flow diagram for assignment of service classification based on data classification has been mentioned in Annexure 2 for reference. For further details on service classification, please refer the ―Service Classification Framework document.